Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/10/2024, 03:47
Static task
- static1
Behavioral tasks
- behavioral1: 2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe (resource win7-20240903-en)
- behavioral2: 2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe (resource win10v2004-20241007-en)
- behavioral3: $PLUGINSDIR/System.dll (resource win7-20240903-en)
- behavioral4: $PLUGINSDIR/System.dll (resource win10v2004-20241007-en)
- behavioral5: $PLUGINSDIR/nsDialogs.dll (resource win7-20240704-en)
- behavioral6: $PLUGINSDIR/nsDialogs.dll (resource win10v2004-20241007-en)
- behavioral7: $R0.dll (resource win7-20240903-en)
- behavioral8: $R0.dll (resource win10v2004-20241007-en)
General
- Target: 2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
- Size: 2.9MB
- MD5: 2a41b8df5b88e7e57ad356486e45ae11
- SHA1: 79c84e0684aefc93c039b7405dbcb3650bc1c0ce
- SHA256: a3528d1769254239abf14c2a3271ba710a91d23cadfbce619fba6d99495ede91
- SHA512: 2b96ea703dea11564816d3067872c7c5ac7c8d692d0b2931e446ab3d2716a48ea90dce65865abc76252bb4ba827b68061ef270b5f4443e7313a74b20d824989f
- SSDEEP: 49152:lnqLvvJ9Fod/OpY1Jf+YvoVkXrYErnuKlAhUpd01RMEEWIjf5EfdNQmvLc1UGn:ZqjTyop1CrYsuKlAhUpCMEEFjf5YLzjC
Malware Config
Signatures
- Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Loads dropped DLL (4 IoCs)
  pid / Process:
  - 2200 2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe (3 entries)
  - 1232 regsvr32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in System32 directory (2 IoCs)
  description / ioc / Process:
  - File opened for modification: C:\Windows\system32\MultipleSearchReplaceShellExt.dll (2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe)
  - File created: C:\Windows\system32\MultipleSearchReplaceShellExt.dll (2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe)
- Drops file in Program Files directory (15 IoCs)
  Files created by 2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe under C:\Program Files (x86)\4dots Software\Multiple Search and Replace\:
  - Uninstall.exe
  - MultipleSearchReplace.chm
  - regexp.txt
  - itextsharp.dll
  - 4dots Software Product CATALOG.url
  - license_agreement.rtf
  - replace2.ico
  - settings.xml
  - MultipleSearchReplace.exe
  - ICSharpCode.SharpZipLib.dll
  - QuitOfficeApplications.exe
  - 4dotsLanguageDownloader.exe
  - PdfSharp.dll
  - unrar.dll
  - ddb.dat
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Modifies registry class (13 IoCs)
  description / ioc, all by regsvr32.exe:
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MultipleSearchReplace\ = "{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}\ = "MultipleSearchReplaceExt"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MultipleSearchReplaceExt.DLL
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32\ThreadingModel = "Apartment"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MultipleSearchReplace\ = "{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\MultipleSearchReplace
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\MultipleSearchReplace
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MultipleSearchReplaceExt.DLL\AppID = "{8D123B0D-E6B3-4EA2-A47A-A526FD6D0373}"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\ = "MultipleSearchReplaceShellExt Class"
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FE97F5AD-DDC7-4038-B972-1F7FA072B7E7}\InprocServer32\ = "C:\\Windows\\system32\\MultipleSearchReplaceShellExt.dll"
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid / Process:
  - 4456 msedge.exe (2 entries)
  - 4052 msedge.exe (2 entries)
  - 2156 identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  pid / Process:
  - 4052 msedge.exe (6 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / Process:
  - 4052 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process:
  - 4052 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target (the report lists 64 entries, most of them repeats; distinct source and target pairs shown):
  - PID 2200 (2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe) wrote to memory of 1232, procid_target 86
  - PID 2200 (2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe) wrote to memory of 4052, procid_target 90
  - PID 4052 (msedge.exe) wrote to memory of 2976, procid_target 91
  - PID 4052 (msedge.exe) wrote to memory of 4440, procid_target 92
  - PID 4052 (msedge.exe) wrote to memory of 4456, procid_target 93
  - PID 4052 (msedge.exe) wrote to memory of 616, procid_target 94
Processes
- C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2a41b8df5b88e7e57ad356486e45ae11_JaffaCakes118.exe"
  PID: 2200
  Signatures: Loads dropped DLL; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\regsvr32.exe
    Command line: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MultipleSearchReplaceShellExt.dll"
    PID: 1232
    Signatures: Loads dropped DLL; Modifies registry class
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.4dots-software.com/multiple-search-replace/?afterinstall=true&version=5.5
    PID: 4052
    Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1ad246f8,0x7ffd1ad24708,0x7ffd1ad24718
      PID: 2976
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
      PID: 4440
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      PID: 4456
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
      PID: 616
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      PID: 4556
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      PID: 3676
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      PID: 3788
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
      PID: 2156
      Signatures: Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      PID: 1124
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
      PID: 2448
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      PID: 2184
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,15165520078178836418,9896017807978339794,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
      PID: 3116
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 388
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1060
Network
MITRE ATT&CK Enterprise v15
Downloads